Configuring Network Permissions for PVC using vSAN File Service

Article ID: 385618
Products

Tanzu Kubernetes Grid VMware Tanzu Kubernetes Grid Management

Issue/Introduction

Access to the volume is not restricted and is open to all networks, whereas it should be limited to the cluster's DHCP IP range only.

Environment

Tanzu Kubernetes Grid 2.5x

Resolution

Management Cluster Context

  1. Fetch the vspherecsiconfig from the management cluster context:
    kubectl get vspherecsiconfig <workload-cluster-name> -o yaml > <workload-cluster-name>-vspherecsiconfig.yaml

  2. Edit the YAML file to add network permissions:
    vi <workload-cluster-name>-vspherecsiconfig.yaml

    Add the following netPermissions block:

    netPermissions:
      PERM-1:
        ips: "*"
        permissions: READ_WRITE
        rootsquash: false

  3. Apply the changes:

    kubectl apply -f <workload-cluster-name>-vspherecsiconfig.yaml

  4. Verify that the changes are applied by checking the secret:

    kubectl get secret <workload-cluster-name>-vsphere-csi-data-values -o yaml

Workload Cluster Context

  1. To confirm the changes are reflected in the workload cluster, verify the vSphere config secret:

    kubectl get secret vsphere-config-secret -n vmware-system-csi -o yaml

This process ensures the correct configuration of vspherecsiconfig and network permissions, with verification steps for both the management and workload clusters.
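The following Python helper is an added example, not code from the KB article or from Tanzu Kubernetes Grid: it parses the netPermissions block shown above, flags any entry whose ips is "*" (which exports the share to every network, the condition described under Issue/Introduction), renders the same entry limited to one CIDR, and decodes a base64 value as returned by kubectl get secret ... -o yaml. The sample values are constructed, and the CIDR passed to restricted_block is assumed to be the cluster's DHCP range.

```python
import base64
import ipaddress
# Constructed sample (not a real capture): decoded data-values after the article's block was applied.
SAMPLE_VALUES = """\
vsphereCSI:
  netPermissions:
    PERM-1:
      ips: "*"
      permissions: READ_WRITE
      rootsquash: false
"""
SAMPLE_SECRET_VALUE = base64.b64encode(SAMPLE_VALUES.encode()).decode()  # as under `data:`

def parse_net_permissions(values_yaml: str) -> dict:
    """Walk indentation to read the flat name -> {key: value} block (no PyYAML)."""
    perms, current, block_indent = {}, None, None
    for raw in values_yaml.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        indent = len(raw) - len(raw.lstrip())
        if stripped == "netPermissions:":
            block_indent = indent
            continue
        if block_indent is None:
            continue                   # not inside the block yet
        if indent <= block_indent:
            break                      # dedented past the block: done
        key, _, value = stripped.partition(":")
        value = value.strip().strip('"')
        if value == "":                # "PERM-1:" opens a new entry
            current = key
            perms[current] = {}
        elif current is not None:      # "ips: ..." etc. belong to that entry
            perms[current][key] = value
    return perms

def open_to_all(perms: dict) -> list:
    """Names of entries whose ips is "*", i.e. exported to every network."""
    return [name for name, p in perms.items() if p.get("ips") == "*"]

def restricted_block(name: str, cidr: str, permissions: str = "READ_WRITE") -> str:
    """Render the article's entry with ips limited to one CIDR (assumed DHCP range)."""
    net = ipaddress.ip_network(cidr)   # ValueError on a malformed range
    return (f'netPermissions:\n  {name}:\n    ips: "{net}"\n'
            f"    permissions: {permissions}\n    rootsquash: false\n")

def check_secret_value(encoded: str) -> list:
    """Decode one base64 `data:` value from the secret and report open entries."""
    return open_to_all(parse_net_permissions(base64.b64decode(encoded).decode()))
```

Run check_secret_value against each base64 value from the data-values secret (step 4) or the vsphere-config-secret on the workload cluster; an empty list means no entry is exported to all networks.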

Additional Information

  • The vsphereCSI.netPermissions setting can be successfully applied and permissions can be updated in a class-based cluster.
  • However, the same configuration cannot be updated in a legacy cluster.